Cry Once! How regularly scheduled security assessments and employee security awareness training are worth every dime spent!



Recently I was investigating a cyber-attack on behalf of a client to determine both the source of the attack and the mitigation efforts that needed to be implemented in order to contain any further or future damage.

The investigation led to a contractor working with my client’s firm. 

The contractor, an SMB with 50 or so employees, had a breach on their network that they had not detected. When I met with the principals to inform them of my findings and the nature of the breach, the conversation went something like this:

Me: Your email network has been breached and is currently being used by hackers to send spoofed (fake) messages.

Owner: That’s impossible, how could that happen?

Me: Most likely through an employee.

Owner (in a strained voice): My employees would never do that! They have been with me for years. They are very loyal.

Me: The breach most likely was not intentional, but a matter of employee error.

Owner (tears starting to flow): We have a tech company that takes care of all that stuff for us, you know . . . email security.

Me: Your employees' emails are on the dark web, along with their passwords. I also have the dates they appeared on the dark web. Most likely more than one account has been hijacked.

Owner (tears still flowing): This is too much. What do you suggest that we do?

Me: Get a complete security assessment including a comprehensive vulnerability assessment so that a remediation plan can be formulated.

Owner: That sounds expensive.  I think I will get an opinion from my tech guy and see what he says.

Me: Okay. Does he specialize in cyber-security?

Owner: I don’t know, but he will know best because he installed our computer system and network.

Me: I would be happy to meet with your person to discuss a plan of action.

Owner: No, I will take care of it.

Me: Thank you very much for your time. If I can be of any service, let me know.

Epilogue:

The tech contractor changed everyone’s passwords but never did a full security assessment or deployed policies that would prevent future problems.  The organization at risk suffered a $50,000+ breach later that year.

In today’s digital age, cyber security should be a top priority for organizations of all sizes.

Despite significant investments in cyber security measures, many organizations remain vulnerable to cyber-attacks because of the actions of their own employees. Employees can unwittingly put an organization at risk by engaging in risky online behavior or by failing to follow proper cyber security protocols. In this blog post, we will explore some of the ways in which employees can put organizations at risk from cyber criminals.

Phishing Scams: One of the most common ways employees put organizations at risk is by falling prey to phishing scams. Cyber criminals craft emails that appear to come from legitimate sources, such as banks, vendors, or the organization's own payroll or IT department. These emails contain links or attachments that, when opened, deliver malware or lead to a fake login page that harvests the employee's credentials, which the attacker then uses to get into the organization's email or network. Employees who are not trained to identify phishing emails, or who are not vigilant in their email habits, can inadvertently put their organization at risk.
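A few of the tells a trained employee (or a mail filter) looks for can be checked mechanically. The following is an added example, not code from the original post or from Creative Cyber Management: it parses a constructed sample message (the domains are reserved example names, and the message is made up) and reports three common spoofing indicators: a display name that advertises a different domain than the actual sender address, a Reply-To that sends answers to a third domain, and a link whose visible text shows one host while its href points at another. Only the Python standard library is used.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real phishing email). It mimics the
# three tells checked below; every domain is a reserved example name.
SAMPLE_MESSAGE = """\
From: "Payroll (corp.example)" <noreply@corp-example.net>
Reply-To: collect@mailbox.example
To: alice@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please sign in at <a href="https://corp-example.net/login">https://corp.example/login</a> today.</p>
<p>Questions? Contact <a href="https://corp-example.net/help">the help desk</a>.</p>
</body></html>
"""

# Constructed benign message: same shape, but every domain agrees.
BENIGN_MESSAGE = """\
From: "Payroll" <payroll@corp.example>
To: alice@corp.example
Subject: Pay stubs are available
Content-Type: text/html; charset="utf-8"

<p>See <a href="https://corp.example/paystubs">https://corp.example/paystubs</a>.</p>
"""

# Something that looks like a domain name inside a display name.
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.IGNORECASE)


def domain_of(address_header):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(address_header)
    return addr.rpartition("@")[2].lower()


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_body(msg):
    """Return the decoded text/html part of a message, or '' if there is none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def phishing_indicators(raw_message):
    """Return a list of human-readable spoofing indicators found in the message."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. The display name names a domain other than the one that actually sent it.
    for shown in DOMAIN_RE.findall(display_name):
        if shown.lower() != from_domain:
            findings.append(f"display name mentions {shown} but sender domain is {from_domain}")

    # 2. Replies are silently redirected to a third domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {from_domain}")

    # 3. The link text shows one host while the href goes somewhere else.
    anchors = _Anchors()
    anchors.feed(html_body(msg))
    for href, text in anchors.links:
        shown_host = urlsplit(text).hostname if "://" in text else None
        real_host = urlsplit(href).hostname
        if shown_host and real_host and shown_host.lower() != real_host.lower():
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_MESSAGE):
        print("WARNING:", line)
```

These heuristics catch lookalike-domain and redirect tricks, not a message sent from a genuinely compromised mailbox (the situation in the story above), where every header is legitimate; that case is only caught by the recipient questioning the request itself, which is what awareness training is for.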

Weak Passwords: Employees who use weak or easily guessable passwords can also put their organization at risk. Cyber criminals use automated tools to try large numbers of password guesses until one works, and passwords exposed in earlier breaches are replayed against other services where the same password was reused. Once they gain access to an employee's account, they can often use it as a foothold to reach other parts of the organization's network. Employees who use weak passwords, or who reuse passwords across multiple accounts, inadvertently provide cyber criminals with an easy way into their organization's data.
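Automated password guessing leaves a very recognizable trail in authentication logs, and the breach in the story above went unnoticed because nobody was looking at that trail. The following is an added example, not code from the original post or from Creative Cyber Management; the log format is a constructed, simplified one (timestamp, user, source address, result) and the sample lines are made up. It flags three patterns: a brute-force run (many failures for one account from one source), a password spray (one source failing against many accounts, which defeats per-account lockout), and a success that follows a burst of failures, which is the strongest sign that an account has actually been taken over.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): a brute-force run against "alice"
# that succeeds, a spray across four accounts from a second source, and one
# ordinary typo-then-success that must not be flagged.
SAMPLE_LOG = """\
2023-06-01T09:00:01 user=alice src=203.0.113.5 result=FAIL
2023-06-01T09:00:03 user=alice src=203.0.113.5 result=FAIL
2023-06-01T09:00:04 user=alice src=203.0.113.5 result=FAIL
2023-06-01T09:00:06 user=alice src=203.0.113.5 result=FAIL
2023-06-01T09:00:07 user=alice src=203.0.113.5 result=FAIL
2023-06-01T09:00:09 user=alice src=203.0.113.5 result=SUCCESS
2023-06-01T09:05:00 user=bob src=198.51.100.7 result=FAIL
2023-06-01T09:06:00 user=carol src=198.51.100.7 result=FAIL
2023-06-01T09:07:00 user=dave src=198.51.100.7 result=FAIL
2023-06-01T09:08:00 user=erin src=198.51.100.7 result=FAIL
2023-06-01T09:30:00 user=bob src=192.0.2.10 result=FAIL
2023-06-01T09:30:20 user=bob src=192.0.2.10 result=SUCCESS
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into (timestamp, user, src, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["user"], fields["src"], fields["result"]


def detect(log_text, window_minutes=10, fail_threshold=5, spray_threshold=4):
    """Return sorted (kind, source, user) findings for the constructed log format.

    kind is one of "brute_force", "password_spray" (user is "*") or
    "likely_compromise". Thresholds are assumptions to tune per environment.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)

    findings = set()
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, user, _, result in evs if result == "FAIL"]

        # Slide a window over this source's failures, starting at each one.
        for i, (start, _) in enumerate(fails):
            in_window = [(t, u) for t, u in fails[i:] if t - start <= window]
            per_user = defaultdict(int)
            for _, u in in_window:
                per_user[u] += 1
            for u, n in per_user.items():
                if n >= fail_threshold:
                    findings.add(("brute_force", src, u))
            if len(per_user) >= spray_threshold:
                findings.add(("password_spray", src, "*"))

        # A success preceded by a burst of failures for the same account from
        # the same source is the attacker finally getting in.
        for ts, user, _, result in evs:
            if result != "SUCCESS":
                continue
            prior = [t for t, u in fails if u == user and ts - window <= t < ts]
            if len(prior) >= fail_threshold:
                findings.add(("likely_compromise", src, user))
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, user in detect(SAMPLE_LOG):
        print(f"{kind:18} source={src:14} user={user}")
```

A spray is deliberately checked on distinct accounts rather than on failure count, because an attacker trying one common password against every mailbox stays below any per-account lockout; rate limiting and multi-factor authentication address the root cause, and this kind of detection tells you when to go look.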

Unsecured Devices: Many employees now use personal devices, such as laptops or smartphones, to access their organization's network or data. If these devices are not properly secured (patched, encrypted, protected by a screen lock and endpoint security), they provide cyber criminals with a direct path into an organization's network. For example, an employee who accesses company systems over an unsecured public Wi-Fi network could allow an attacker on the same network to intercept any traffic that is not protected by TLS or a VPN, or be redirected to a fake login page.

Social Engineering: Social engineering involves the use of psychological manipulation to trick employees into divulging sensitive information or taking actions that can compromise an organization’s security. For example, a cyber-criminal might pose as an IT support technician and ask an employee to provide their login credentials. Employees who are not trained to recognize social engineering tactics can put their organization at risk by inadvertently divulging sensitive information.

Lack of Awareness: Finally, employees who are not aware of the risks of cyber-attacks can put their organization at risk. Many employees do not realize that their actions online can have real-world consequences for their organization. For example, an employee who downloads a seemingly harmless app on their work computer could inadvertently introduce malware into the organization’s network.

In conclusion, employees can unwittingly put organizations at risk from cyber criminals by engaging in risky online behavior or by failing to follow proper cyber security protocols. To mitigate these risks, organizations must invest in comprehensive cyber security training programs for their employees and pair them with regularly scheduled security assessments, so that the gaps training cannot close are found before an attacker finds them. By educating employees about the risks of cyber-attacks and providing them with the tools and knowledge they need to protect their organization's data and network, organizations can significantly reduce their risk of falling victim to cyber criminals.

Does your organization qualify for a complimentary security assessment?

We are offering complimentary security assessments for qualifying organizations now through August 30, 2023!

Burton F. Maben

https://www.creativecybermanagment.com

burton.maben@ccyman.com
